WordPress is adding both ‘noopener and noreferrer’ tags to external AND internal links opening in a new tab. Essentially anything that opens in a new window or tab (target_blank) on your WordPress site.
We noticed this earlier today after updating an article then viewing it’s source.
If you set a link to open in a new tab, WordPress will now, apart from adding the target=”_blank” tag. WordPress also adds the rel=”noopener noreferrer” tag automatically.
Not only that if you open any old post and save it, the tag will get added automatically. This has probably been done to avoid what is known as Reverse Tabnabbing.
Website owners should help to prevent such attacks and exploiting of the vulnerability. WordPress has taken this step to protect users.
Reverse Tabnabbing occurs the attacker uses window.opener.location.assign() to replace the background tab with a malicious document.
- When you add noopener keyword, the new/other page cannot access your window object via window.opener
- The noreferrer keyword tells the browser to not collect HTTP referrer information when the link is followed.
- Firefox does not support noopener so you have to use rel=”noopener noreferrer”.
Reverse Tabnabbing can occur when we click on a link on a web page to open a new tab. That page opens in a new tab or window. If we come back to the main web page, behind our back, that page has changed to a different url. Most users may not notice the URL change.
When we come back to the original page we may be asked to log in again to our account. Attackers replace the original tab with a malicious document including the favicon. We usually don’t notice this url change. We enter our login details and we are hacked.
Were not sure how this change will effect our sites SEO. This url meta change was done to WordPress 4.7.4 as far as we know. When we find additional details we will update this article. We appreciate visitors to add their comments below.